httpfilter.exe

The application httpfilter.exe has been detected as a potentially unwanted program by 18 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. While running, it connects to the Internet address ip72.156.odnoklassniki.ru on port 443.
MD5:
c538e95bca6203733cd88c0a21940aa7

SHA-1:
a4d46ad02dcac3c66d6ec9db02fec5bb7bde7d62

SHA-256:
723dfe426c2eaccb47a1f9bc635189516988e4bb8f1b5d1c3310f4bf58e339bb

Scanner detections:
18 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 5:55:58 AM UTC

Scan engine | Detection | Engine version
AegisLab AV Signature | Uds.Dangerousobject.Multi!c | 2.1.4+
AhnLab V3 Security | Adware/Win32.MediaMagnet.N2081275348 | 3.7.5.15
avast! | Win32:Dropper-gen [Drp] | 2014.9-161009
AVG | Generic_c | 2017.0.2596
Dr.Web | Trojan.LoadMoney.1764 | 9.0.1.0283
ESET NOD32 | Win32/MediaMagnet.CS potentially unwanted application | 6.3.12010.0
G Data | Win32.Trojan.Agent.YGP19Y | 16.10.25
K7 AntiVirus | Adware | 13.242.21114
Kaspersky | not-a-virus:AdWare.NSIS.MediaMagnet | 14.0.0.-526
McAfee | RDN/Generic.dx | 5600.6252
Panda Antivirus | Trj/CI.A | 16.10.09.02
Rising Antivirus | PUA.MediaMagnet!8.89-2B8xYYZIrZU (cloud) | 23.00.65.161007
Sophos | Generic PUA KE (PUA) | 4.98
Trend Micro House Call | TROJ_GEN.R01BC0OIH16 | 7.2.283
Trend Micro | TROJ_GEN.R01BC0OIH16 | 10.465.09
Vba32 AntiVirus | AdWare.MediaMagnet | 3.12.26.4
VIPRE Antivirus | Trojan.Win32.Generic | 52852
ViRobot | Trojan.Win32.Z.Mediamagnet.624457[h] | 2014.3.20.0

File size:
609.8 KB (624,457 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\host service\httpfilter.exe

File PE Metadata
Compilation timestamp:
12/27/2015 3:38:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:T9zvNTz70Puj5CKuzbxboFDvm7d7w4sGtVmABYJ3lPt3pU8:T9ZsWj5CKuzb2Lm71w4wABYJ/1

Entry address:
0x324F

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 57, 33, DB, 68, 01, 80, 00, 00, 89, 5C, 24, 1C, C7, 44, 24, 14, 30, 91, 40, 00, 33, F6, C6, 44, 24, 18, 20, FF, 15, B8, 70, 40, 00, FF, 15, B4, 70, 40, 00, 66, 3D, 06, 00, 74, 11, 53, E8, FC, 2D, 00, 00, 3B, C3, 74, 07, 68, 00, 0C, 00, 00, FF, D0, 68, E0, 91, 40, 00, E8, 7D, 2D, 00, 00, 68, D8, 91, 40, 00, E8, 73, 2D, 00, 00, 68, CC, 91, 40, 00, E8, 69, 2D, 00, 00, 6A, 0D, E8, CC, 2D, 00, 00, 6A, 0B, E8, C5, 2D, 00, 00, A3, 84, 3F, 42, 00, FF, 15, 34, 70, 40, 00, 53, FF...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file has been observed making the following network connections while executing in live environments.

TCP (HTTP SSL): Connects to e.mail.ru (217.69.139.215:443)
TCP (HTTP SSL): Connects to bazafailov.ru (82.146.39.160:443)
TCP (HTTP SSL): Connects to edge-star-mini-shv-01-cdg2.facebook.com (179.60.192.36:443)
TCP (HTTP SSL): Connects to ip5.23.odnoklassniki.ru (5.61.23.5:443)
TCP (HTTP SSL): Connects to xx-fbcdn-shv-01-cdg2.fbcdn.net (179.60.192.7:443)
TCP (HTTP SSL): Connects to mc.yandex.ru (87.250.250.119:443)
TCP (HTTP SSL): Connects to ip159.156.odnoklassniki.ru (217.20.156.159:443)
TCP (HTTP SSL): Connects to ip137.156.odnoklassniki.ru (217.20.156.137:443)
TCP (HTTP SSL): Connects to api.browser.yandex.ru (87.250.250.82:443)
TCP (HTTP SSL): Connects to ip57.155.odnoklassniki.ru (217.20.155.57:443)
TCP (HTTP SSL): Connects to ip213.152.odnoklassniki.ru (217.20.152.213:443)
TCP (HTTP SSL): Connects to ec2-184-73-225-233.compute-1.amazonaws.com (184.73.225.233:443)
TCP (HTTP SSL): Connects to ip58.155.odnoklassniki.ru (217.20.155.58:443)
TCP (HTTP SSL): Connects to edge-star-shv-01-cdg2.facebook.com (179.60.192.3:443)
TCP (HTTP SSL): Connects to 230.28.211.130.bc.googleusercontent.com (130.211.28.230:443)
TCP (HTTP): Connects to tickets.nashestvie.ru (83.137.54.41:80)
TCP (HTTP SSL): Connects to sba.search.yandex.net (77.88.21.232:443)
TCP (HTTP SSL): Connects to ip72.156.odnoklassniki.ru (217.20.156.72:443)
TCP (HTTP SSL): Connects to ip158.156.odnoklassniki.ru (217.20.156.158:443)
TCP (HTTP SSL): Connects to ec2-54-174-247-15.compute-1.amazonaws.com (54.174.247.15:443)

Remove httpfilter.exe - Powered by Reason Core Security